Endpoint Protection


SEP 14 Scheduled Tasks??

  • 1.  SEP 14 Scheduled Tasks??

    Posted Dec 13, 2016 04:53 PM

    Sometimes I'm a bit slow, and don't notice all the intricacies of new SEP builds. Take for example SEP 14: I just happened to notice the new Task Manager group "Symantec Endpoint Protection", and the three new tasks (Norton Autofix, Norton Error Analyzer and Norton Error Processor). Sadly I cannot reach the SEP 14 release notes website, where I'm sure these tasks are covered. While I can probably guess what each of them does, what I'd really like to know is how to remove them from my install package before I deploy to my enterprise.

    Thanks for your time,

    -Mike



  • 2.  RE: SEP 14 Scheduled Tasks??

    Posted Dec 13, 2016 05:36 PM
    Agree. I monitor scheduled tasks with application control and have seen these undocumented features. I've also seen sporadically that taskeng.exe (scheduled task) starts an application called livepatch.exe from the SEP programdata path. This also happens with SEP 12.1.7004 clients. Would be nice to know what this is for and why only a few clients run this task?


  • 3.  RE: SEP 14 Scheduled Tasks??

    Posted Dec 14, 2016 12:11 PM

    Well I was wrong, after looking at both the SEP 14 and SEP 12.1.6.6 release notes (and the Administration Guide), I see no mention of either the new "Scheduled Tasks", or the functionality of "LivePatch.exe", as mentioned by TORB above.

    Anyone "in the know" care to comment, someone from Symantec maybe? Having processes, unbeknownst to us, kicking off in the background is a big no-no. Unless we can get some information on these issues, SEP 14 will remain on our DEV server only.

    -Mike



  • 4.  RE: SEP 14 Scheduled Tasks??

    Posted Dec 15, 2016 09:52 AM

    In case anyone is interested, or following this thread, here is the latest reply I've gotten from my support case on this issue/question.

    After further investigation by engaging our engineering, it appears those scheduled tasks are related to Symantec telemetry to monitor for product issues and errors. LivePatch.exe is meant to silently apply critical product patches and updates.
    None of them are meant for direct user control or customization.
    Public documentation about them is still under review.
    Is there anything else I can do for you?

    Needless to say I had more questions...my investigation continues.

    -Mike



  • 5.  RE: SEP 14 Scheduled Tasks??

    Posted Dec 15, 2016 09:58 AM

    Is it possible to permanently disable? Or will they come back on reboot and/or during a product upgrade?



  • 6.  RE: SEP 14 Scheduled Tasks??

    Posted Dec 15, 2016 10:12 AM

    I deleted them, and reboot brought them back to life. I disabled them, and a reboot re-enabled them.



  • 7.  RE: SEP 14 Scheduled Tasks??

    Posted Dec 15, 2016 10:46 AM

    /head desk



  • 8.  RE: SEP 14 Scheduled Tasks??

    Posted Dec 15, 2016 12:00 PM

    Here is the latest information from Symantec:

    I went further with my investigation to answer your concerns.

    Even if at the moment I don't have an article explicitly talking about those scheduled tasks, the telemetry they are serving is fully explained here:
    http://www.symantec.com/docs/HOWTO124992

    The general SEP Privacy Notice is available here:
    https://www.symantec.com/content/dam/symantec/docs/policies/endpoint-protection-privacy-notice-en.pdf

    Both of them are shown to you for review and acceptance at installation time and it appears you may toggle telemetry from SEPM 14 console.

    About "patches", to be precise, we are talking about updating some scan engines or libraries along with new antivirus definitions to ensure the product can handle new threats. Malware is evolving too fast to wait for new full product releases; without such updates the product will rapidly become obsolete not differently than having old definitions. This is not a new feature added in SEP 14. I understand you may have some concerns about such patches and no system change is completely without risks, indeed; yet, the risk of generic incidents due to those patches is much lower than facing security incidents due to their absence.

    Please, let me know if there's something else you need.



  • 9.  RE: SEP 14 Scheduled Tasks??

    Posted Dec 15, 2016 12:00 PM

    What effect does turning this off from the SEPM console have on the clients? I assume they still remain and run as scheduled tasks?



  • 10.  RE: SEP 14 Scheduled Tasks??

    Posted Dec 15, 2016 01:10 PM

    Good to know. Would still be nice to know why they are run as a scheduled task and not just as part of the product. Especially livepatch.exe. I monitor thousands of SEP clients, but have only seen livepatch run less than 10 times. Maybe it's only created as a scheduled task if SEP detects pending reboots or something?

    But if it gives added protection and removes vulnerabilities without requiring a full upgrade, it's actually just a good thing. Sometimes being curious just creates more questions :)



  • 11.  RE: SEP 14 Scheduled Tasks??

    Posted Dec 15, 2016 02:45 PM

    Yes, you are correct, disabling the telemetry collection had no effect on the 3 scheduled tasks... that said, I do have one machine (happens to be a server) where the "Norton Autofix" task is absent. I'm trying to correlate that task to a specific policy, or if the fact it's running a server OS is what made the difference.
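
Added example, not part of the thread and not Symantec tooling: a read-only PowerShell inventory of the three tasks named above, recording whether each is present, its state, the binary it launches and that binary's Authenticode signer, so snapshots can be compared across reboots, policies and OS types. It assumes the Task Scheduler folder path matches the group name quoted in the thread and that the ScheduledTasks module (Windows 8 / Server 2012 or later) is available; the function and variable names are hypothetical.

```powershell
# Added example; names below are illustrative, not from Symantec documentation.
# Assumption: the task folder matches the group name quoted in the thread.
$SepTaskPath  = '\Symantec Endpoint Protection\'
$SepTaskNames = 'Norton Autofix', 'Norton Error Analyzer', 'Norton Error Processor'

function Get-SepTaskInventory {
    param(
        [string]$TaskPath = $SepTaskPath,
        [string[]]$ExpectedNames = $SepTaskNames
    )
    $tasks = @(Get-ScheduledTask -TaskPath $TaskPath -ErrorAction SilentlyContinue)
    # Report the expected tasks plus anything else found in the same folder.
    $names = @($ExpectedNames) + @($tasks.TaskName) | Where-Object { $_ } | Sort-Object -Unique

    foreach ($name in $names) {
        $task = $tasks | Where-Object { $_.TaskName -eq $name } | Select-Object -First 1
        $row = [ordered]@{
            Computer = $env:COMPUTERNAME; Task = $name; Present = [bool]$task
            State = $null; LastRun = $null; Execute = $null; Arguments = $null
            SignatureStatus = $null; Signer = $null
        }
        if ($task) {
            $row.State   = [string]$task.State
            $row.LastRun = ($task | Get-ScheduledTaskInfo).LastRunTime
            # Only "exec" actions carry Execute/Arguments; take the first one.
            $action = $task.Actions | Where-Object { $_.Execute } | Select-Object -First 1
            if ($action) {
                $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
                $row.Execute   = $exe
                $row.Arguments = $action.Arguments
                if (Test-Path -LiteralPath $exe -PathType Leaf) {
                    # Record who signed the binary the task launches.
                    $sig = Get-AuthenticodeSignature -LiteralPath $exe
                    $row.SignatureStatus = [string]$sig.Status
                    $row.Signer = $sig.SignerCertificate.Subject
                }
            }
        }
        [pscustomobject]$row
    }
}

# Snapshot now; run again after a reboot or policy change and diff the CSVs.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Get-SepTaskInventory |
    Export-Csv -NoTypeInformation -Path ".\sep-tasks-$env:COMPUTERNAME-$stamp.csv"
```

Two snapshots can be diffed with `Compare-Object` on the `Task`, `Present` and `State` columns to confirm whether a deleted or disabled task was restored.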



  • 12.  RE: SEP 14 Scheduled Tasks??

    Posted Dec 15, 2016 02:54 PM

    TORB...I get your point regarding curiosity and additional questions, but from where I (and my management) sit, full disclosure is paramount. If someone sent me a white paper on those tasks, and then gave me the ability to shut them off as I, and our Cyber Security Team, see fit...then this topic would be closed. I'm also curious as to why they're not part of the product, but I'm sure that's another story all on its own. ;-)

    -Mike